Posted: Friday, June 11 2010 at 06:00 am CT by Bob Sullivan Imagine this scenario: Estonia, a NATO member, is cut off from the Internet by cyber attackers who besiege the country's bandwidth with a devastating denial of service attack. Then, the nation's power grid is attacked, threatening economic disruption and even causing loss of life as emergency services are overwhelmed. As international outcry swells, outside researchers determine the attack is being sponsored by a foreign government and being directed from a military base. Desperate and outgunned in tech resources, Estonia invokes Article 5 of the NATO Treaty -- an attack against one member nation is an attack against all. It requests an immediate response from its military allies: Bomb the attacker's command-and-control headquarters to stop the punishing cyber attack.

Now, the U.S. government is faced with a chilling question: Should it get dragged into a shooting war by a cyber attack on an ally? Or should it decline and threaten the fiber of the NATO alliance?

About half this fictional scenario occurred in 2007, when Estonian government and financial Web sites were crippled by a cyber attack during a dispute with Russia. That incident never escalated to this hypothetic level, however: The source of the attack was unclear, physical harm did not occur and Estonia never invoked Article 5.

The incident did, however, get other NATO members thinking: When would they be required to rise to the defense of an ally during a cyber attack?

[/size]

Last year, a working group led by former U.S. Secretary of State Madeline Albright was formed by NATO to study the future of the alliance in a post Cold War world. When the group issued its report last month, aimed at helping NATO form a new “Strategic Concept,” the thorny issues raised by cyber war were listed as one of the three toughest challenges facing the alliance. NATO is expected to approve the Strategic Concept this November during a meeting in Lisbon, and cyber war issues will be hotly debated.

Mutual defense is the heart of the NATO alliance, formed in 1949 in the wake of World War II, largely to combat the aspirations of an expanding Soviet Union. Article 5 lays out the obligations of members in plain language:

"The Parties agree that an armed attack against one or more of them in Europe or North America shall be considered an attack against them all and consequently they agree that, if such an armed attack occurs, each of them ... will assist the Party or Parties so attacked by taking forthwith, individually and in concert with the other Parties, such action as it deems necessary, including the use of armed force, to restore and maintain the security of the North Atlantic area."

Despite all the attention Article 5 has received during the 60-plus years of NATO, it has been invoked only once -- after the 9/11 attacks. That led to an alliance attack to remove the Taliban from power in Afghanistan.

That means the odds of a rudimentary botnet attack against a NATO member leading to war are quite small. They are not zero, however. The Albright group's report, titled "NATO 2020," was stark in its assessment -- ignoring the issue would probably only encourage attackers.

[size="3"]"The next significant attack on the Alliance may well come down a fiber optic cable," it reads. "A cyber attack that leads to chaos in one city may inspire copy-cat criminals in another. Due to the reach of modern media, even terrorist groups and pirate bands now have public relations specialists and NATO, when and wherever it acts (or fails to act), will do so with a global audience."

'What is the threshold for crossing the cyber line?'Roger Cressey, a former member of the U.S. National Security Council, said there is a long list of unanswered questions that NATO hasn't begun to resolve.

"If there is a cyber attack, does NATO respond in kind? Do the NATO allies with the most advanced cyber capabilities respond on behalf of the member that was attacked?" wondered Cressey, now a consultant with Good Harbor Consulting and an NBC analyst. "Should a response be limited only to cyberspace or should kinetic options be on the table too? This raises some very important issues -- do you attack another country with missiles and aircraft in response to a cyber attack? What is the threshold for crossing the cyber line and into physical responses?"